240

Recently I've noticed some issues when running apt where the system will warn me of a keyring deprecation:

    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    8 packages can be upgraded. Run 'apt list --upgradable' to see them.
    W: https://packages.microsoft.com/repos/edge/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This doesn't stop me from performing the update, but I would much rather not see this when updating my system. How are we supposed to store trusted GPG keys going forward?

Flimm
matigo

8 Answers

313

One way to resolve this is to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings. Fortunately, it's not too difficult:

  1. Open Terminal (if it's not already open)

  2. List existing keys:

    $ sudo apt-key list
    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    /etc/apt/trusted.gpg
    --------------------
    pub   rsa4096 2017-05-08 [SCEA]
          1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
    uid           [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>
    sub   rsa4096 2017-05-08 [S]

    pub   rsa2048 2015-10-28 [SC]
          BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
    uid           [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>

  3. From here, we can export a key:

    sudo apt-key export BE1229CF | sudo gpg --dearmor -o /usr/share/keyrings/microsoft.gpg
    

    Note: The BE1229CF value comes from the last 8 characters of the pub code.

    The following message will likely appear:

    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    
  4. Now we can update our apt source file for the repository (e.g., /etc/apt/sources.list.d/microsoft.list), adding a signed-by tag:

    deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge/ stable main
    
  5. Update apt to confirm the message is gone:

    sudo apt update
    ...
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    All packages are up-to-date.
    W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    
  6. Remove the original signature:

    sudo apt-key del BE1229CF
    

This can be done with each of the warning messages. Once done, apt will no longer complain.

GAD3R
matigo
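
Step 4 of the answer above is what scopes a key to one repository: keys left in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/ are accepted for every source, while signed-by restricts an entry to the named keyring. The following added example (not part of the answer; the function names and sample files are constructed, and only one-line .list entries are handled, not deb822 .sources files) lists entries that still lack signed-by:

```shell
#!/bin/sh
# Added example: report one-line apt source entries that lack signed-by=.
# Such entries are checked against the global keyrings
# (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/).

# audit_list FILE: print "FILE:LINE: URI" for each active unscoped entry.
audit_list() {
    awk -v f="$1" '
        /^[ \t]*(deb|deb-src)[ \t]/ {
            line = $0
            sub(/^[ \t]*(deb|deb-src)[ \t]+/, "", line)
            opts = ""
            if (line ~ /^\[/) {               # optional [key=value ...] block
                close_at = index(line, "]")
                if (close_at == 0) next       # malformed entry, skip it
                opts = substr(line, 2, close_at - 2)
                line = substr(line, close_at + 1)
                sub(/^[ \t]+/, "", line)
            }
            split(line, rest, /[ \t]+/)       # rest[1] is the repository URI
            if (opts !~ /(^|[ \t])signed-by=/)
                printf "%s:%d: %s\n", f, NR, rest[1]
        }' "$1"
}

# audit_dir DIR: audit every DIR/*.list (default: the live apt configuration).
audit_dir() {
    dir=${1:-/etc/apt/sources.list.d}
    for f in "$dir"/*.list; do
        if [ -f "$f" ]; then audit_list "$f"; fi
    done
}

# demo: run the audit over constructed sample files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/microsoft.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge/ stable main
EOF
    cat > "$tmp/sublime.list" <<'EOF'
# deb https://example.invalid/disabled stable main
deb https://download.sublimetext.com/ apt/stable/
deb [arch=amd64] https://example.invalid/apt stable main
EOF
    audit_dir "$tmp"
    rm -rf "$tmp"
}

demo
```

Call audit_dir with no argument to check /etc/apt/sources.list.d on a live system.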
212

Try this:

    cd /etc/apt
    sudo cp trusted.gpg trusted.gpg.d

Zanna
Mahmoud
54

The easy way to fix these warning messages generated by sudo apt update...

    W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://apt.keepsolid.com/ubuntu/dists/groovy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://linux.dropbox.com/ubuntu/dists/disco/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://download.virtualbox.org/virtualbox/debian/dists/hirsute/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://download.opensuse.org/repositories/home:/IBBoard:/cawbird/xUbuntu_22.04/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://ppa.launchpad.net/solaar-unifying/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://ppa.launchpad.net/yannubuntu/boot-repair/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Note: These warning messages can be generated by any enabled repo or ppa in Software & Updates "Other Software" tab.

Example fix:


For this warning message with sudo apt update...

    W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

We look in sudo apt-key list and find this entry for xbmc...

    pub   rsa1024 2009-01-20 [SC]
          1897 01DA 570C 56B9 488E  F60A 6D97 5C47 91E7 EE5E
    uid           [ unknown] Launchpad PPA for XBMC for Linux

Then we convert this entry to a .gpg file, using the last 8 numeric characters from above...

    sudo apt-key export 91E7EE5E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/team-xbmc.gpg

Repeat the above commands for each warning message generated by sudo apt update.

Note: Partially taken from the accepted answers here and here.

heynnema
9

Considering all the good suggestions provided, I've crafted a helper oneliner to automate the process for all keys:

    sudo apt-key list 2>/dev/null | grep -E '(trusted.gpg.d)' -A 3 | grep -v '^\-\-' | grep -v '^pub ' | sed 's@.*/trusted.gpg.d/\(.*\)@\1@g' | awk 'NR%2{printf "%s ",$0;next;}1' | awk '{print "sudo apt-key export "$10$11" | sudo gpg --dearmour -o /usr/share/keyrings/"$1}' | xargs -I{} sh -c '{}'

DiRaOL
6

There is no need to edit sources.list if you use the apt/trusted.gpg.d/ folder and you're on Debian.

Follow the other steps to get the key id:

    $ apt-key list
    /etc/apt/trusted.gpg
    --------------------
    pub   rsa2048 2012-04-01 [SC]
          A0DA 38D0 D76E 8B5D 6388  7281 9165 938D 90FD DD2E
    uid           [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>
    sub   rsa2048 2012-04-01 [E]

And then run:

    apt-key export 90FDDD2E | sudo tee /etc/apt/trusted.gpg.d/raspberry.debian.armhf.asc

You can delete the trusted.gpg file, but the errors go away without deleting it.

isaaclw
0

I solved it with some commands like below.

    gpg --refresh-keys

This will update all the keys and resolve the problem.

0

In my case, solutions above did not work. Maybe it's because it is a specific case. The warning:

    9 packages can be upgraded. Run 'apt list --upgradable' to see them.
    W: https://packages.cloud.google.com/apt/dists/coral-cloud-stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: https://packages.cloud.google.com/apt/dists/coral-edgetpu-stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This fixed it for me:

    wget -O- https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo tee /etc/apt/trusted.gpg.d/coral-edgetpu.gpg

M.K
0

I've taken the answer from @DiRaOL and converted it to a Python script, which I find to be much more readable (albeit longer) than using awk.

    import subprocess
    import re
    from collections import defaultdict
    import pathlib

    # List all apt-keys
    proc = subprocess.Popen(
        'sudo apt-key list',
        shell=True,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE)
    stdout, stderr = proc.communicate()

    # Build a regex that matches a 20 byte hex string
    # (apt-key prints a wider gap between the fifth and sixth groups)
    key_pat_part = ' +'.join(['[A-F0-9]{4}'] * 10)
    gpg_pat = re.compile(' *' + key_pat_part)

    # Parse stdout to map filenames to keys
    lines = stdout.decode('utf8').split(chr(10))
    current_fpath = None
    path_to_keys = defaultdict(list)
    for line in lines:
        # A path line starts a new section; the dashed rule under it is skipped
        if line.startswith('/etc/apt/trusted'):
            current_fpath = line
        if current_fpath and gpg_pat.match(line):
            key = line.replace(' ', '')
            path_to_keys[current_fpath].append(key)

    # Build commands to export to the keyrings path and execute them
    keyrings_dpath = pathlib.Path('/usr/share/keyrings/')
    for fpath, keys in path_to_keys.items():
        if 'trusted.gpg.d' in fpath:
            assert len(keys) == 1
            key_tail = keys[0][-8:]
            old_fpath = pathlib.Path(fpath)
            new_fpath = keyrings_dpath / old_fpath.name
            if not new_fpath.exists():
                command = f'sudo apt-key export {key_tail} | sudo gpg --dearmour -o {new_fpath}'
                subprocess.check_output(command, shell=True)

I've also written this such that the above command can be wrapped in:

    python -c " if 1:
        <the code>
    "

and executed in bash.

Erotemic